Asterisk on CentOS 9, TLS problem

I found no problems running Asterisk on CentOS 7 servers and using TLS clients on both chan_sip and PJSIP, using tlsv1. When moving Asterisk on CentOS 9, TLS seems not able to work. Regardless of the configuration I may use, the problem is always the same:

[2024-06-24 17:57:42] WARNING[1309216]: pjproject: <?>: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <167772351> <error:0A0000BF:SSL routines::no protocols available> len: 0 peer: 213...85:42778

I have tried to use the exact configuration listed in configs/samples/pjsip.conf without any success.

Something like:

[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5081
cert_file=/etc/letsencrypt/live/pbx.****.com/cert.pem
priv_key_file=/etc/letsencrypt/live/pbx.****.com/privkey.pem
method=tlsv1
cipher=ADH-AES256-SHA,ADH-AES128-SHA

Even if I try with a browser to connect to port 5081 (PJSIP TLS), the result is always “ERR_SSL_VERSION_OR_CIPHER_MISMATCH”

If I try to check with the command

nmap --script ssl-enum-ciphers -p 5081 pbx.****.com

But no ciphers are detected.

I have also tried without specifying the method and the cipher, but the result is still the same

OpenSSL on CentOS 9 server is version 3.0.7

Where am I wrong?

ADH-AES256-SHA,ADH-AES128-SHA are deprecated and insecure, odd are they have been removed on earlier versions of openssl, have you checked what ciphers are available ? try : openssl ciphers -v or openssl ciphers -v | grep TLSv1

I have checked the list of ciphers returned from the “openssl chiphers -v” command carefully selecting one or more of them, doesn’t fix the problem. Has there anyone a working pjsip.conf with TLS on CentOS 9 and derivative?

Your problem is likely TLSv1 usage, which is considered insecure and distros have taken to disabling support for it in OpenSSL. They only allow 1.2 and above. I vaguely recall you have to enable legacy support in OpenSSL to allow it to work, but don’t recall the specifics.

1 Like

There seems no way. The server is on “legacy” openssl verified with “update-crypto-policies --show”. The server has been rebooted and asterisk recompiled, but the only available method is still TLS 1.3 which has very little support among phones.

What version of Asterisk are you running?

I am running Asterisk 20.8.0, but I have tried also on Asterisk 18.23.1. These asterisk versions are working great with CentOS 7, but on CentOS 9 with openssl 3.07, can’t work with anything below TLS 1.3. OpenSSL has been set already in “legacy mode”

# update-crypto-policies --show
LEGACY

Try this:
cipher=DEFAULT,@SECLEVEL=1
method=tlsv1_2

This will dynamically configure openssl to a lower security level for Asterisk (only).

Thank you, that fixed PJSIP protocol. Is there a similar recipe for chan_sip (I know it is no more supported)

You would probably have to set openssl to a lower security level (which affects the whole server). That can be done as follows in /etc/ssl/openssl.cnf:

Go down to [openssl_init] and below that line add:

ssl_conf = ssl_sect

Then go to the bottom of the file and add:

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT:@SECLEVEL=1

Adding more details:
If there is no “[openssl_init]” follow this instead of above:
At the top of the file add:

openssl_conf = default_conf

At the bottom of the file add:

[default_conf]
ssl_conf = ssl_sect

Then add the whole bottom section shown in my post before this one. RH varieties will probably use this format.

Unfortunately it is not working yet for chan_sip. PJSIP is good.

Thanks to cable instructions, here is a fast recipe to make TLS1.2 work on CentOS 9 for PJSIP.

  • reconfigure the crypto policies to “legacy” by running
update-crypto-policies --set LEGACY
  • reboot the server

  • verify the crypto policies being updated

update-crypto-policies --show
  • configure pjsip.conf as following
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5081
cert_file=/etc/letsencrypt/live/pbx.yourdomain.com/cert.pem
priv_key_file=/etc/letsencrypt/live/pbx.yourdomain.com/privkey.pem
method=tlsv1_2
cipher=DEFAULT,@SECLEVEL=1
  • verify using openssl
openssl s_client -connect pbx.yourdomain.com:5081 -cipher ALL